CRII: SaTC: Robust Explainable Provenance-based Intrusion Detection


Basic information

  • Award number:
    2245442
  • Principal investigator:
  • Amount:
    $175,000
  • Institution:
  • Institution country:
    United States
  • Project type:
    Standard Grant
  • Fiscal year:
    2023
  • Funding country:
    United States
  • Start and end dates:
    2023-03-15 to 2024-06-30
  • Project status:
    Completed

Project abstract

Modern intrusion detection systems detect ongoing cyberattacks based on knowledge of a computer system’s activity history, also known as data provenance. However, deploying them in the real world is challenging. The project’s novelties are the development of a next-generation intrusion detection system that not only accurately identifies an intrusion but precisely diagnoses its root cause and method of attack, even in the presence of an attacker who actively tries to evade detection. The project’s broader significance and importance are (1) delivering timely solutions to real-world cybersecurity threats increasingly faced by both the U.S. government and large corporations that affect the security and privacy of millions, (2) fostering a collaborative security community by organizing a workshop on building and disseminating reproducible intrusion detection experiments, and (3) training first-generation and LGBTQ students to improve the representation of members from underrepresented groups in the security workforce.

The project addresses three challenges that imperil the efficacy and practical adoption of provenance-based intrusion detection systems. First, they cannot explain precisely the cause and progression of an attack. Second, they are ineffective when an attacker purposefully tries to evade them. Third, they require an abundance of provenance data that is difficult to obtain. To address these problems, this project designs a novel intrusion detection system that leverages machine learning to highlight anomalous computer activity indicating an intrusion. The machine learning algorithm focuses on making sense of the attack to reduce the manual effort needed to triage intrusion alerts. To expose the shortcomings of existing intrusion detection systems, the project first studies new intrusion strategies that simultaneously attack a host computer system and evade detection. A countermeasure technique that introduces randomness and strengthens robustness in learning is then incorporated into the machine learning pipeline to mitigate such attacks. Finally, the project leverages software engineering and program analysis techniques to synthesize benign provenance data to train the intrusion detection system and integrates these techniques into an automated framework to facilitate data generation. A successful project will advance state-of-the-art endpoint intrusion detection and response solutions, improve analyst experience, and enhance the security of cyberinfrastructure critical to the government and other organizations.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project outcomes

Journal articles (3)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing
Sometimes, You Aren't What You Do: Mimicry Attacks against Provenance Graph Host Intrusion Detection Systems
Splice: Efficiently Removing a User's Data from In-memory Application State

Other publications by Xueyuan Vanbastelaer


Similar overseas grants

SaTC: CORE: Small: Robust and Private Federated Analytics on Networked Data
  • Award number:
    2241100
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: SaTC: CORE: Small: Critical Learning Periods Augmented Robust Federated Learning
  • Award number:
    2315613
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: SaTC: CORE: Small: Critical Learning Periods Augmented Robust Federated Learning
  • Award number:
    2315612
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: SaTC: CORE: Small: Towards Robust, Scalable, and Resilient Radio Fingerprinting
  • Award number:
    2225161
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: SaTC: CORE: Small: Critical Learning Periods Augmented Robust Federated Learning
  • Award number:
    2315614
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
SaTC: CORE: Small: Robust Speaker and Speech Recognition Under AI-Driven Physical and Digital Attacks
  • Award number:
    2310207
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Continuing Grant
SaTC: CORE: Small: Precise and Robust Binary Reverse Engineering and its Applications
  • Award number:
    2243632
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: SaTC: CORE: Small: Secure and Robust Machine Learning in Multi-Tenant Cloud FPGA
  • Award number:
    2411207
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: SaTC: CORE: Small: Towards Robust, Scalable, and Resilient Radio Fingerprinting
  • Award number:
    2225160
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
SaTC: CORE: Small: Forensic Coding: Robust Information Embedding in 3D Printed Objects.
  • Award number:
    2223032
  • Fiscal year:
    2022
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant